tools
zero wine tryouts - a fork of zero wine
Submitted by cjbi on Thu, 2010-01-21 16:01. tools
What is zero wine tryouts?
zero wine tryouts is an open source malware analysis tool.
Just upload your suspicious PE file (Windows executable) through the web interface and let it analyze the behaviour of the process.
zero wine + X = zero wine tryouts
The zero wine tryouts project is a fork of the original zero wine project.
The last modification to the source code of the original project was done back in Jan 2009.
For more information, visit here.
Rule2Alert
Submitted by famousjs on Wed, 2009-12-23 20:52. tools
Rule2Alert's goal is to read in snort rules and generate packets that would make snort produce an alert. It is written entirely in python and utilizes Scapy to craft the packets. It is still under heavy development with myself, Pablo Rincon, and Will Metcalf.
Currently, it is able to generate pcaps based off simple content snort compatible rules. I loaded in the emerging-all.rules file and was able to create a pcap that alerted snort 514 times. The project is not ready to be released yet, but the results look promising so far. This project is currently under the Open Information Security Foundation, as all of the project members are currently working on the new IDS/IPS system Suricata.
Example:
test.rule
----------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; distance:5; within:12; sid:2000000; rev:1;)
famousjs@youbantoo:~/rule2alert$ sudo python r2a.py -vt -c /etc/snort/snort.conf -f rules/test.rule -w test.pcap
Ether / IP / TCP 192.168.0.1:9001 > 1.1.1.1:www S
Ether / IP / TCP 1.1.1.1:www > 192.168.0.1:9001 SA
Ether / IP / TCP 192.168.0.1:9001 > 1.1.1.1:www A
Ether / IP / TCP 192.168.0.1:9001 > 1.1.1.1:www PA / Raw
-------- Hex Payload Start ----------
56 24 5a 63 20 20 20 20
20 68 65 79
--------- Hex Payload End -----------
Loaded 1 rules successfully!
Writing packets to pcap...
Successfully alerted on all loaded rules
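The payload-layout step behind the run above, as an added example that is not Rule2Alert's own code: a pure-Python sketch that parses the content/distance/within options of test.rule, lays the contents out so each one satisfies its relative modifiers, and re-checks the result the way Snort evaluates them. The 0x20 filler byte is an assumption chosen to match the hex payload shown; Scapy and snort.conf handling are left out.

```python
import re

# Constructed sample: the test.rule shown above.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; '
        'flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; '
        'distance:5; within:12; sid:2000000; rev:1;)')

PAD = 0x20  # assumed filler byte between contents; matches the hex payload above

def decode_content(raw):
    """Turn a Snort content string into bytes, expanding |xx xx| hex escapes."""
    out = bytearray()
    for piece in re.split(r'(\|[0-9a-fA-F\s]+\|)', raw):
        if piece.startswith('|') and piece.endswith('|'):
            out += bytes.fromhex(piece.strip('|'))
        else:
            out += piece.encode('latin-1')
    return bytes(out)

def parse_contents(rule):
    """Return [[bytes, distance, within], ...] for every content option.
    Options are key:value pairs ended by ';'; quoted values may contain ';'."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    contents = []
    for key, val in re.findall(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;', body):
        if key == 'content':
            contents.append([decode_content(val.strip('"')), 0, None])
        elif key == 'distance' and contents:
            contents[-1][1] = int(val)
        elif key == 'within' and contents:
            contents[-1][2] = int(val)
    return contents

def build_payload(contents, pad=PAD):
    """Lay each content out 'distance' filler bytes after the previous one."""
    buf = bytearray()
    for data, distance, within in contents:
        buf += bytes([pad]) * distance + data
    return bytes(buf)

def matches(payload, contents):
    """Re-check the payload the way Snort applies relative distance/within:
    search starts 'distance' bytes after the previous match and must end
    within 'within' bytes of it."""
    pos = 0
    for data, distance, within in contents:
        end = len(payload) if within is None else pos + within
        idx = payload.find(data, pos + distance, end)
        if idx < 0:
            return False
        pos = idx + len(data)
    return True
```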
OSAM: Autorun Manager v5.0 - against rootkits that hide their files!
Submitted by OnlineSolutions on Wed, 2009-12-09 12:42. Malware | tools | Tools
11-Sep-2009
As mentioned before, a few weeks ago we recommenced the works on our first public product, namely OSAM: Online Solutions Autorun Manager.
Releasing this, fifth, version of the product has turned hard for our company. For a number of reasons of different nature the release date had to be moved several times. However, we managed to brace up and - thanks to joint efforts - finally released the new version of the product.
Now, greet OSAM: Online Solutions Autorun Manager v5.0!
The 5th version provides a unique possibility to detect and remove rootkits that hide their files on the hard disk. Rootkit techniques for hiding registry keys and files are spreading wider and wider, so our company had nothing to do but invent and implement a solution for detecting and removing such malware. And we did it! OSAM applies algorithms that parse the structure of file systems on hard disks without involving any mechanisms of the operating system and thus detects and removes almost all the known viruses and other types of malware.
Presently OSAM detects hidden files, in addition to detecting hidden registry entries, which allows for using it in detecting and removing newest and up-to-date viruses.
One-click removal of the Conficker (Downadup) worm using OSAM
Buster Sandbox Analyzer 1.0 release version
Submitted by VirusBuster on Mon, 2009-11-23 11:08. tools
I released Buster Sandbox Analyzer 1.0.
Buster Sandbox Analyzer is a malware analyzer using Sandboxie as environment to run programs.
You can follow the development of the tool here:
http://sandboxie.com/phpbb/viewtopic.php?t=6557
And you can download the tool from here:
http://bsa.qnea.de/bsa.rar
Reading the manual before using the tool is necessary.
Malware analyzer under Windows
Submitted by VirusBuster on Sat, 2009-11-14 03:27. tools
Hi.
Do you want to analyze malware and you are tired of complicated environments where you almost must be a computer engineer to get it working and the hardware requirements are too exigent for the computer you have? Then the solution is Buster Sandbox Analyzer.
Buster Sandbox Analyzer runs under Windows using Sandboxie (www.sandboxie.com) as the environment to run the malware.
A default installation of Sandboxie, which takes less than 1 minute to install, will be enough to start working with Buster Sandbox Analyzer.
Ether Automation Utility: Ether Bunny
Submitted by dannyquist on Fri, 2009-11-13 14:27. tools
Ether Bunny is a script that I use to automatically startup and run Xen domains, copy files, and then execute them with Ether. It is a quick hack I put together. Most of the variables at the top of the file will need to be changed to match your configuration. This script is made available as-is. If it doesn't work you'll need to debug it on your own. That being said if you find it useful and modify it let me know and I'll be happy to update the public version.
You'll need to get a copy of Winexe as well to remotely run the files. There are some setup instructions at the Winexe page that will help you to configure your host machine.
Here's how I use it:
snoosnoo:/xen# ./eb.py 192.168.0.2 malware.exe
Ether Bunny v0.1 by Danny Quist
Analyzing malware.exe to on VM 192.168.0.50
Destroying old vm image /xen/winxp-sp2-malware-instance/
Restoring vm image...
Starting vm from /etc/xen/ramdisk-winxp-sp2.cfg
Copying malware.exe to VM 1166 at 192.168.0.50
Attempt: 1
Running malware.exe on VM winxp-sp2-ramdisk (1166) 192.168.0.50
Letting program run...
dos charset 'CP850' unavailable - using ASCII
EPOLL_CTL_ADD failed (Operation not permitted) - falling back to select()
Killing ether.
Destroying VM ID: 1166
Aborting...
Download Ether Bunny here.
Danny
Static Check for VM-aware malware
Submitted by vaguy02 on Mon, 2009-11-09 10:37. tools | Tools
Does anyone know of a tool that can perform a static check against an executable to determine the possibility of it being VM-aware? Linux tool is preferred, but I'll take anything at this point.
Thanks,
Rob
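Not a reply from anyone in the thread, but an added example of the kind of static check asked about: a Python scan of raw executable bytes for well-known VM-detection artifacts (the VMware I/O backdoor magic, sidt/sgdt/sldt/str with a memory operand, hypervisor product strings). The indicator list and the sample bytes are constructed for this example; a hit is a lead for the analyst, not proof, since sidt and friends also appear in legitimate code.

```python
import re

# Assumed heuristic indicator set (constructed here, not taken from any specific tool).
VM_STRINGS = [b"VMware", b"VBOX", b"VirtualBox", b"QEMU", b"Xen", b"vmtoolsd", b"VBoxService"]
VMWARE_MAGIC = (0x564D5868).to_bytes(4, "little")  # "VMXh": EAX value for the VMware I/O backdoor
IN_EAX_DX = b"\xed"                                 # in eax, dx

def descriptor_table_reads(data):
    """Offsets of sgdt/sidt (0F 01 /0, /1) and sldt/str (0F 00 /0, /1) with a memory operand."""
    names = {(1, 0): "sgdt", (1, 1): "sidt", (0, 0): "sldt", (0, 1): "str"}
    hits = []
    for m in re.finditer(rb"\x0f[\x00\x01]", data):
        if m.end() >= len(data):
            continue
        modrm = data[m.end()]
        if modrm >> 6 == 3:          # register form encodes other instructions; skip
            continue
        name = names.get((data[m.start() + 1], (modrm >> 3) & 7))
        if name:
            hits.append((m.start(), name))
    return hits

def vmware_backdoor(data):
    """Offsets of the VMXh magic, with a flag for an IN EAX,DX within the next 32 bytes."""
    hits, i = [], data.find(VMWARE_MAGIC)
    while i != -1:
        hits.append((i, IN_EAX_DX in data[i + 4:i + 32]))
        i = data.find(VMWARE_MAGIC, i + 1)
    return hits

def scan(data):
    """Summarise VM-awareness indicators found in raw executable bytes (leads, not proof)."""
    return {
        "strings": sorted(s.decode() for s in VM_STRINGS if s in data),
        "descriptor_tables": descriptor_table_reads(data),
        "vmware_backdoor": vmware_backdoor(data),
    }

def looks_vm_aware(data):
    return any(scan(data).values())

# Constructed sample bytes: a VMware backdoor probe, then sidt [esp], then a tools string.
SAMPLE = (b"\x90" * 8 + b"\xb8" + VMWARE_MAGIC     # mov eax, 0x564D5868
          + b"\x66\xba\x58\x56" + IN_EAX_DX        # mov dx, 0x5658 ; in eax, dx
          + b"\x0f\x01\x0c\x24"                    # sidt [esp]
          + b"\x00" * 4 + b"VMware Tools\x00")
CLEAN = b"\x90" * 16 + b"hello\x00"
```

Run it over the raw bytes of a file read in binary mode; the offsets it reports are file offsets, so map them to sections yourself if you need virtual addresses.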
Morfeus F*cking Scanner
Submitted by nesnub on Tue, 2009-10-27 03:11. Exploits | Scanner | tools | Generic Discussion
Hello, I am trying to find out what exactly is behind the flurry of "Morfeus Fucking Scanner" web-vulnerability scans going on out there. After some research, a lot of people are reporting seeing it but no-one seems to be reporting or linking to an actual tool responsible.
Does anyone have more information on the tool? Any possibility of getting a copy?
Thanks
YARA 1.3 released
Submitted by plusvic on Mon, 2009-10-26 04:56. tools
I'm glad to announce a new version of YARA which includes three new major features, some of them inspired by requests and suggestions of some users out there. They are:
* C-style includes. Now you can include a YARA source file into another just like you do in your C programs with the #include pre-processor directive.
* Metadata in rules. Rules now can contain associated metadata in identifier/value pairs. Metadata information can be string, integer or boolean values. This metadata can be accessed later from the yara-python extension.
* Multi-source compilation in yara-python. A group of YARA source files can be compiled together in yara-python. In this way rules from different sources can be matched at the same time against your data, which is more efficient than compiling and matching each source independently.
Here is an example of the "include" and "metadata" features:
include "./includes/some_other_rules.yar"

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
For more info:
http://code.google.com/p/yara-project/
Turbodiff v1.01 Beta Released
Submitted by Nicolas A. Economou on Tue, 2009-10-20 13:12. Exploits | tools | Tools
Turbodiff is a high-performance IDA plugin designed to detect differences between executable binaries.
It works on architectures supported by IDA 4.9 FREE, IDA 5.0 through 5.5.
Turbodiff was developed by Nicolas A. Economou, from the Exploit Writers Team of Core Security Technologies.
The tool's page is here: Coresecurity's Turbodiff
You can also read the presentation of Turbodiff at Ekoparty '09.
Buenos Aires, Argentina.
